What I'm trying to do:
Establish a clean connection to a remote site with openssl -connect.
The site appears to be self-signed.
What I'm getting:
CONNECTED(00000003)
depth=0 CN = DC01.home.pri
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = DC01.home.pri
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = DC01.home.pri
verify error:num=21:unable to verify the first certificate
verify return:1
...
...
Verify return code: 21 (unable to verify the first certificate)
What I've tried:
echo -n | openssl s_client -connect DC01.home.pri:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem
echo -n | openssl s_client -connect DC01.home.pri:636 -CAfile ldapserver.pem
sudo cp ldapserver.pem /etc/ssl/certs/ldapserver.pem
sudo c_rehash /etc/ssl/certs/
echo -n | openssl s_client -connect dc01.home.pri:636 -CApath /etc/ssl/certs/
I also tried
openssl verify -CAfile /etc/ssl/certs/ldapserver.pem ldapserver.pem
openssl verify -CApath /etc/ssl/certs/ ldapserver.pem
Result
ldapserver.pem: CN = DC01.home.pri
error 20 at 0 depth lookup:unable to get local issuer certificate
I have changed the CN / hostname to protect myself. The hostname is also added to my hosts file, in case that is useful.
Truncated PEM file
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
64:c7:48:64:00:00:00:00:00:d0
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=pri, DC=home, CN=home-HOMECA-CA
Validity
Not Before: Mar 7 22:41:45 2015 GMT
Not After : Mar 6 22:41:45 2016 GMT
Subject: CN=DC01.home.pri
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
<CENSORED>
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.20.2:
. .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
S/MIME Capabilities:
......0...`.H.e...*0...`.H.e...-0...`.H.e....0...`.H.e....0...+....0
..*.H..
X509v3 Subject Alternative Name:
othername:<unsupported>, DNS:DC01.home.pri
X509v3 Subject Key Identifier:
<CENSORED>
X509v3 Authority Key Identifier:
keyid:<CENSORED>
X509v3 CRL Distribution Points:
Full Name:
URI:ldap:///CN=home-HOMECA-CA,CN=HOMECA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=home,DC=pri?certificateRevocationList?base?objectClass=cRLDistributionPoint
URI:http://homeca.home.pri/CertEnroll/home-HOMECA-CA.crl
Authority Information Access:
CA Issuers - URI:ldap:///CN=home-CA-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=home,DC=pri?cACertificate?base?objectClass=certificationAuthority
Signature Algorithm: sha1WithRSAEncryption
<CENSORED>
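Answer 0 (score: 2)
The certificate you posted is not self-signed; the issuer (DC=pri, DC=home, CN=home-HOMECA-CA) differs from the subject (CN=DC01.home.pri).
When verifying the certificate, OpenSSL cannot find a local certificate for the issuer (or for the issuer of the first certificate in the chain received from the web server during the TLS handshake) with which to verify the signature.
You need to give openssl verify the issuer certificate (or have it in your trust store):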
openssl verify -CAfile /etc/ssl/certs/<issuer-cert>.pem ldapserver.pem
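
The situation described in this answer, reproduced offline as an added example that is not part of the original post: a leaf certificate issued by a CA fails with error 20 when it is used as its own trust anchor, and verifies once the issuer certificate is supplied. It assumes an openssl binary on PATH; the CA and leaf names, keys and file names are constructed placeholders.

```shell
# Added example: every name, key and certificate below is constructed.
make_demo_pki() {  # $1 = empty working directory
  local d="$1"
  cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo-issuing-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed root that plays the role of the issuing CA (Issuer == Subject).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # Leaf certificate signed by that CA, like a server certificate from an internal CA.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -subj "/CN=leaf.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

is_self_signed() {  # $1 = PEM file; succeeds when Subject and Issuer match
  local s i
  s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$s" = "$i" ]
}

verify_with() {  # $1 = trust anchor file, $2 = certificate; prints OK or "error N"
  local out
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case "$out" in
    *": OK"*) echo "OK" ;;
    *) printf '%s\n' "$out" | grep -o 'error [0-9][0-9]*' | head -n 1 ;;
  esac
}

demo() {
  local d; d=$(mktemp -d)
  make_demo_pki "$d"
  if is_self_signed "$d/leaf.pem"; then echo "leaf: self-signed"; else echo "leaf: issued by a CA"; fi
  echo "leaf as its own anchor: $(verify_with "$d/leaf.pem" "$d/leaf.pem")"
  echo "issuer as anchor:       $(verify_with "$d/ca.pem" "$d/leaf.pem")"
  rm -rf "$d"
}

demo
```

Comparing Subject and Issuer first tells you whether the file saved from s_client can ever serve as a trust anchor by itself.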